securing sshd
Erik Norgaard
norgaard at locolomo.org
Sun Mar 21 09:39:49 UTC 2010
On 21/03/10 02:27, Peter wrote:
> On the same line, portknocking with pf:
Port knocking sucks:
If you have to knock a single time on the secret port, you might just
have no added security at all: it could be that the port scanner first
knocked on the secret port and then on the ssh port.
If you have to knock multiple times on the secret port, same thing:
usually, when you scan for open ports, multiple packets are sent in case
of packet loss. You can't use timing between packets because this may
change on the path. Yet you do need to implement timeouts to avoid a
halfway-knocked sequence.
If you have to knock various ports, you can't rely on packets arriving
in a particular sequence. And even if you did, the port scanner might
just get that order right. If your secret is to knock port 1234 and then
port 2345, nmap might do just that when scanning ports 0-10000. And if
the secret is the reverse order, again, nmap might just do that, because
multiple packets are sent to each port.
If you require more than a single knock, you also have to monitor for
wrong knocks, or a simple nmap scan may be sufficient to expose your
server, as in the example above.
A port knock or port knock sequence is a shared password that cannot be
encrypted. Since there is no previous user identification, the knocking
is the same for all users. It's not encrypted because the secret is in
the port number you knock. This is possibly the worst kind of secret you
can manage.
If you find yourself thinking you need port knocking, then your
passwords are not strong enough. It is far better to use longer and more
complex passwords: They are individual for each user and encrypted.
Then you have the problem of monitoring established connections to flush
the tables once a session is terminated.
Port knocking adds complexity to your server, meaning more things can go
wrong, and adds yet another attack vector for the intruder. Having a
script automatically update a live rule set is a recipe for disaster.
It's as user-unfriendly and impractical as it gets:
The more ports you have to knock the higher the probability that some
packets will be filtered when you're behind somebody else's firewall.
You can be most certain that you can't convince the admin of some
corporate network to open up for your port knocking.
Because of the built-in stealth, you have no way of knowing if packets
are dropped or filtered. And the user will have to accept a delay for
your port knocking script to update the rules.
You add complexity for the user: now they need your special port
knocking client and have to know the secret, on top of carrying around
their private ssh keys etc.
Port knocking sucks at security: it does not solve a single existing
problem but introduces a host of other problems. Use it at home for
playing around and learning about protocols and stuff, but please don't
give people the illusion that their security problems will be solved
with port knocking.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
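The scan-versus-knock-sequence argument above can be checked with a small simulation. The following is an added example, not code from the original post and not any real knock daemon or pf rule set: it models the per-source state a knock daemon keeps (an ordered list of expected ports, a timeout between knocks, and optionally a reset on any unexpected port) and feeds it a constructed nmap-style scan that visits ports 0-10000 in order with two packets per port. The class and function names (KnockMatcher, sequential_scan, scan_opens), the source address 198.51.100.7, the packet rate and the secret sequences are all assumptions chosen for illustration.

```python
"""Simulated port-knock matcher fed a constructed sequential port scan.

Added example for illustration only; not code from the original post and
not a real knock daemon. Every port number, rate and timeout is assumed.
"""


class KnockMatcher:
    """Per-source knock state: opens when the secret sequence is completed."""

    def __init__(self, sequence, timeout=10.0, reset_on_wrong_port=False):
        self.sequence = tuple(sequence)      # secret ordered ports
        self.timeout = timeout               # max seconds between two knocks
        # Lenient daemons ignore packets to ports outside the sequence;
        # strict ones treat any unexpected port as a failed attempt.
        self.reset_on_wrong_port = reset_on_wrong_port
        self._progress = {}                  # src -> (next_index, last_ok_time)
        self.opened = []                     # (src, time) per completed sequence

    def knock(self, src, port, now):
        """Feed one packet; return True if it completed the sequence."""
        idx, last = self._progress.get(src, (0, now))
        if idx > 0 and now - last > self.timeout:
            idx = 0                          # half-finished sequence expired
        completed = False
        if port == self.sequence[idx]:
            idx, last = idx + 1, now
            if idx == len(self.sequence):
                self.opened.append((src, now))
                completed, idx = True, 0
        elif self.reset_on_wrong_port:
            idx = 0
        self._progress[src] = (idx, last)
        return completed


def sequential_scan(src, first=0, last=10000, retries=2, pps=1000.0):
    """Constructed scan trace (assumption): every port in ascending order,
    `retries` packets per port to cover loss, at a fixed packet rate."""
    t = 0.0
    for port in range(first, last + 1):
        for _ in range(retries):
            yield src, port, t
            t += 1.0 / pps


def scan_opens(sequence, reset_on_wrong_port=False, pps=1000.0, timeout=10.0):
    """Run the scan against a matcher; return how many times it opened."""
    m = KnockMatcher(sequence, timeout, reset_on_wrong_port)
    for src, port, t in sequential_scan("198.51.100.7", pps=pps):
        m.knock(src, port, t)
    return len(m.opened)


def legit_client_opens(sequence, gap=1.0):
    """Sanity check: a client knocking the sequence in order, `gap` s apart."""
    m = KnockMatcher(sequence)
    return any(m.knock("203.0.113.9", p, i * gap) for i, p in enumerate(sequence))


if __name__ == "__main__":
    print("legit client:", legit_client_opens((1234, 2345)))
    print("single knock, scan:", scan_opens((1234,)))
    print("same port twice, strict, scan:", scan_opens((1234, 1234), True))
    print("1234 then 2345, lenient, scan:", scan_opens((1234, 2345)))
    print("1234 then 2345, strict, scan:", scan_opens((1234, 2345), True))
    print("1234 then 2345, lenient, slow scan:", scan_opens((1234, 2345), pps=100.0))
```

With the assumed parameters the scan opens a single-port knock, opens a "knock the same port twice" secret even when the daemon resets on wrong ports (the scanner's retransmission supplies the second knock), and opens an in-order two-port secret when the daemon ignores unrelated ports. Resetting on wrong knocks stops the plain ascending scan, and a slow enough scan trips the timeout, but both only change which scan pattern the attacker has to use; the secret is still a port number visible to anyone on the path.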
More information about the freebsd-questions mailing list